This link does says that all the boxes configured in the virtual cluster must be in same public & private subnets.
These restrictions apply to load-balancing on VPN 3000 Concentrators:
Load-balancing can only occur with Cisco Release 3.x (or later) IPsec VPN Clients-to-LAN connections. Earlier VPN Clients can still connect to their target Ethernet2 (public) port IP address within the cluster.
Note: Load balancing can still work if both VPN Concentrators do not have the same software version loaded on them.
VPN virtual cluster IP address, User Datagram Protocol (UDP) port, and shared secret must be identical on every device in the virtual cluster.
All devices in the virtual cluster must be on the same public and private IP subnets.
A filter has to be applied on both public and private interfaces. The defaults are:
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...